user manual

ManualsBrandsBorland Software ManualsHome Theater ServerHome Theater Server 6

281

282

283

284

285

286

287

288

289

290

278 BES Developer’s Guide

System Contracts

■

Certificate authentication: when an SSL or HTTPS client request is initiated,

Borland Enterprise Server responds by presenting its digital certificate to

the client. The client then verifies the digital certificate and an SSL

connection is established. The CertAuthenticator class then extracts data

from the client's digital certificate to determine which Borland Enterprise

Server User owns the certificate and then retrieves the authenticated User

from the Borland Enterprise Server security realm.

■

You can also use mutual authentication. In this case, Borland Enterprise

Server not only authenticates itself, it also requires authentication from the

requesting client. Clients are required to submit digital certificates issued by

a trusted certificate authority. Mutual authentication is useful when you

must restrict access to trusted clients only. For example, you might restrict

access by accepting only clients with digital certificates provided by you.

For more information, see "Getting Started with Security" in the Developer's

Guide.

Security Map

In Section 7.5 of the Connectors 1.0 specification, a number of possible

options are identified for defining a Resource Principal on the behalf of whom

sign-on is being performed. VisiConnect implements the Principal Mapping

option identified in the specification.

Under this option, a resource principal is determined by mapping from the

identity of the initiating caller principal for the invoking component. The

resulting resource principal does not inherit the identity of security attributes of

the principal that is it mapped from. Instead, the resource principal derives its

identity and security attributes based on the defined mapping. Thus, to enable

and use container-managed sign-on, VisiConnect provides the Security Map

to specify the initiating principal association with a resourceprincipal.

Expanding upon this model, VisiConnect provides a mechanism to map

initiating caller roles to resource roles.

If container-managed sign-on is requested by the component and no Security

Map is configured for the deployed Resource Adapter, an attempt is made to

obtain the connection using a null JAAS Subject object. This is supported

based upon the Resource Adapter implementation.

While the defined connection management system contracts define how

security information is exchanged between the Borland Enterprise Server and

the Resource Adapter, the determination to use container-managed sign-on or

component-managed sign-on is based on deployment information defined for

the component requesting a connection.

The Security Map is specified with the security-map element in the ra-

borland.xml deployment descriptor. This element defines the initiating role

association with a resource role. Each security-map element provides a

mechanism to define appropriate resource role values for the Resource

Adapter and EIS sign-on processing. The security-map elements provide the

means to specify a defined set of initiating roles and the corresponding